Zawarto¶æ nag³ówka ["Followup-To:" comp.os.linux.security.]
On 14.11.2006, Alexandre Oberlin wrote:
> I have a file encrypted with GPG symmetric encryption (CAST5). The
> passphrase had been given on command line (no keyring used).
> I happen to have the original file as well.
> I guess not but: is there a way to retrieve the passphrase that I used
> to encrypt the file ?

Assume that there is way to retrieve passphrase. What then would be
encryption for?

And remember to set Followup-To: header when crossposting.

--
Niektórzy lubi± dozziego...
Oczywi¶cie szanujemy ich.
Stanislaw Klekot

Alexandre Oberlin wrote:

> Hi all,
>
> I have a file encrypted with GPG symmetric encryption (CAST5). The
> passphrase had been given on command line (no keyring used).
> I happen to have the original file as well.
> I guess not but: is there a way to retrieve the passphrase that I used
> to encrypt the file ?
>
> Thanks for any suggestion,
>
> AO

I dont think there is a way. First you would have to get the hashed key from
the file, then convert it back into the passphrase. Both is one-way ..

Markus Tervooren wrote:
> Alexandre Oberlin wrote:
>
>> Hi all,
>>
>> I have a file encrypted with GPG symmetric encryption (CAST5). The
>> passphrase had been given on command line (no keyring used).
>> I happen to have the original file as well.
>> I guess not but: is there a way to retrieve the passphrase that I used
>> to encrypt the file ?
>>
>> Thanks for any suggestion,
>>
>> AO
>
> I dont think there is a way. First you would have to get the hashed key from
> the file, then convert it back into the passphrase. Both is one-way ..
So it seems I guessed right...
The strange thing is that I managed to enter twice the same BAD
password. Must have been tired !

Thank you,

AO

Stachu 'Dozzie' K. wrote:
> Zawarto¶æ nag³ówka ["Followup-To:" comp.os.linux.security.]
> On 14.11.2006, Alexandre Oberlin wrote:
>> I have a file encrypted with GPG symmetric encryption (CAST5). The
>> passphrase had been given on command line (no keyring used).
>> I happen to have the original file as well.
>> I guess not but: is there a way to retrieve the passphrase that I used
>> to encrypt the file ?
>
> Assume that there is way to retrieve passphrase. What then would be
> encryption for?
Maybe for those who don't have the original file ? ;-)

> And remember to set Followup-To: header when crossposting.
Oops! sorry.

Alexandre Oberlin wrote:

> Markus Tervooren wrote:
>> Alexandre Oberlin wrote:
>>
>>> Hi all,
>>>
>>> I have a file encrypted with GPG symmetric encryption (CAST5). The
>>> passphrase had been given on command line (no keyring used).
>>> I happen to have the original file as well.
>>> I guess not but: is there a way to retrieve the passphrase that I used
>>> to encrypt the file ?
>>>
>>> Thanks for any suggestion,
>>>
>>> AO
>>
>> I dont think there is a way. First you would have to get the hashed key
>> from the file, then convert it back into the passphrase. Both is one-way
>> ..
> So it seems I guessed right...
> The strange thing is that I managed to enter twice the same BAD
> password. Must have been tired !
>
> Thank you,
>
> AO

I could only think of some brute-force-ing, if passphrase is short (<6
Chars)

Markus Tervooren wrote:
> Alexandre Oberlin wrote:
>
>> Markus Tervooren wrote:
>>> Alexandre Oberlin wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a file encrypted with GPG symmetric encryption (CAST5). The
>>>> passphrase had been given on command line (no keyring used).
>>>> I happen to have the original file as well.
>>>> I guess not but: is there a way to retrieve the passphrase that I used
>>>> to encrypt the file ?
>>>>
>>>> Thanks for any suggestion,
>>>>
>>>> AO
>>> I dont think there is a way. First you would have to get the hashed key
>>> from the file, then convert it back into the passphrase. Both is one-way
>>> ..
>> So it seems I guessed right...
>> The strange thing is that I managed to enter twice the same BAD
>> password. Must have been tired !
>>
>> Thank you,
>>
>> AO
>
> I could only think of some brute-force-ing, if passphrase is short (<6
> Chars)
Seven chars, except if my fingers did some stammering...
I already tried brute force in a batch with the most likely errors
(CAPS, neighbour key, repeated key), without success.
One thing I remember is that I had changed my keymap about the time this
problem showed up, but for a very similar keymap though. The files are
usually decoded in X and recoded at logout when X has exited.

Cheers,

AO

On Tue, 14 Nov 2006 18:36:16 +0100, Alexandre Oberlin wrote:

> Hi all,
>
> I have a file encrypted with GPG symmetric encryption (CAST5). The
> passphrase had been given on command line (no keyring used).
> I happen to have the original file as well.
> I guess not but: is there a way to retrieve the passphrase that I used
> to encrypt the file ?
>
> Thanks for any suggestion,
>
> AO

You are hoping for a "known plaintext attack",
and it does make it easier to crack the key,
but it will probably still take a LOT of work.
.... try the sci.*crypto* groups and work for years...

You are trying to defeat the very point of crypto.
Good luck.
Brute force on a short key is your best hope in the short term.

> I guess not but: is there a way to retrieve the passphrase that I used
> to encrypt the file ?

You need to attack the passphrase, ie try to find it by trying some
passphrases and see if you can decrypt the file.

Without any advantage, the issue of the attack depends on the strength
of the passphrase.

Since you seem to be the one who originally set the passphrase, you can
think of how you build (or used to build) passphrases: do you use a
particular method, like using a well known sentence, replacing some
letters with numbers, or any other possible method? Such a reflexion
might allow you to define one or several algorithms to construct
(potentially very big) lists (dictionaries) of passphrases to test.
Such an "intelligent" dictionary attack has more chances to be
successful than a brute force attack. And who knows? Maybe you remember
the passphrase?

Kind regards
Ludovic

Mike Anonymous Coward wrote:

> You are hoping for a "known plaintext attack",
> and it does make it easier to crack the key,
> but it will probably still take a LOT of work.
I read on http://bent.latency.net/crypto/crypto-summary.html.gz
that "known plain text" does not help a lot with good symmetric ciphers.

I am getting ready to forget about a month of saved notes, but what is
exasperating is that I don't understand what happened, so it could very
well happen again.


The best evidence of intelligent life out there, is that none of them
have contacted us.
-- Anonymous

Alexandre Oberlin
http://www.migo.info/

Ludovic Joly wrote:
>> I guess not but: is there a way to retrieve the passphrase that I used
>> to encrypt the file ?
>
> You need to attack the passphrase, ie try to find it by trying some
> passphrases and see if you can decrypt the file.
>
> Without any advantage, the issue of the attack depends on the strength
> of the passphrase.
>
> Since you seem to be the one who originally set the passphrase, you can
> think of how you build (or used to build) passphrases: do you use a
> particular method, like using a well known sentence, replacing some
> letters with numbers, or any other possible method? Such a reflexion
> might allow you to define one or several algorithms to construct
> (potentially very big) lists (dictionaries) of passphrases to test.
> Such an "intelligent" dictionary attack has more chances to be
> successful than a brute force attack. And who knows? Maybe you remember
> the passphrase?
>

Well I did exactly that: tried some thousands of possible typing errors
from the passphrase that I currently use for such things (mixed letters
and digits from an azerty keyboard).
Yet the mystery persists...
I have been wondering if there was not an obscure keymap related problem.

Thanks for your hints,

AO


--
The best evidence of intelligent life out there, is that none of them
have contacted us.
-- Anonymous

Alexandre Oberlin
http://www.migo.info/

Alexandre Oberlin wrote:
> I am getting ready to forget about a month of saved notes, but what is
> exasperating is that I don't understand what happened, so it could very
> well happen again.

I don't follow you now - don't you have a copy of the plaintext file?

To try to understand what happened, you can go through the same
manipulations with a bogus file and see if the problem can be
reproduced.

Alexandre Oberlin wrote:
> Mike Anonymous Coward wrote:
> > You are hoping for a "known plaintext attack",
> > and it does make it easier to crack the key,
> > but it will probably still take a LOT of work.
> I read on http://bent.latency.net/crypto/crypto-summary.html.gz
> that "known plain text" does not help a lot with good symmetric ciphers.


All good ciphers resist known plaintext attacks. It is one of the most
fundamental requirements of cryptography. All good ciphers also resist
chosen plaintext attacks, where not only does the attacker know the
plaintext, he can also ask for anything he wants to be encrypted.

If it didn't resist known plaintext attacks, then sending an encrypted
email would be broken, since many email's often start with "Dear So and
So" and end with "Sincerely." Or take a Word document with it's tons of
metadata that is generally constant across all documents. Or an
encrypted hard drive with tons of system binaries/libraries that the
attacker knows all the plaintext to.

-Matt

On Thu, 16 Nov 2006 00:38:04 +0100, Alexandre Oberlin wrote:

> I am getting ready to forget about a month of saved notes, but what is
> exasperating is that I don't understand what happened, so it could very
> well happen again.

Note that if you encrypt with a public key, rather than with
a manually entered passphrase, your risk of disaster during
encryption is greatly reduced.

--
To email me, substitute nowhere->spamcop, invalid->net.

Peter Pearson wrote:
> Note that if you encrypt with a public key, rather than with
> a manually entered passphrase, your risk of disaster during
> encryption is greatly reduced.

Except that you now need to protect the private key. You can store that
on a disk/key fob, but you can lose that. Actually I lose physical
items more than I forget passphrases. Or you can encrypt the private
key under a symmetric key (like most software does). Now you have to
remember that key, so you are back at square one.

>Peter Pearson wrote:
>> Note that if you encrypt with a public key, rather than with
>> a manually entered passphrase, your risk of disaster during
>> encryption is greatly reduced.
>
>Except that you now need to protect the private key. You can store that
>on a disk/key fob, but you can lose that. Actually I lose physical
>items more than I forget passphrases. Or you can encrypt the private
>key under a symmetric key (like most software does). Now you have to
>remember that key, so you are back at square one.

An important trick is that you can add extra data (checksum)
to the info protected by the passphrase so if you mistype
the passpharse you get an error message rather than encrypting
your data with a key you won't be able to recover.

--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's. I hate spam.

On 16 Nov 2006 12:40:07 -0800, Matthew Fanto wrote:
>
> Peter Pearson wrote:
>> Note that if you encrypt with a public key, rather than with
>> a manually entered passphrase, your risk of disaster during
>> encryption is greatly reduced.
>
> Except that you now need to protect the private key. ...

Exactly. So it's not a clouds-part-and-sun-shines-and-birds-sing
kind of solution. In fact, it's a solution that I've
consciously *not* used myself, so far: I keep my password
library in an encrypted text file, and the shell script that
I run to edit that file re-encrypts it by asking me (twice)
for the encryption pass-phrase: that's pretty much the OP's
modus operandi. Inspired by his predicament, I'm considering
switching to the strategy of re-encrypting using my public
key. This will (1) save re-entering the pass-phrase twice
while re-encrypting and (2) eliminate the risk posed by
re-encryption-time brain fuddle, at the cost of making my
password library hostage to my private key. My private key,
however, is encrypted under my very best pass-phrase, and is
backed up in many places, including friends' and relatives'
hard drives. So if I can just remember that one pass-phrase,
all other pass-phrases are at my fingertips.

--
To email me, substitute nowhere->spamcop, invalid->net.

Ludovic Joly wrote:
> Alexandre Oberlin wrote:
>> I am getting ready to forget about a month of saved notes, but what is
>> exasperating is that I don't understand what happened, so it could very
>> well happen again.
>
> I don't follow you now - don't you have a copy of the plaintext file?
>
I have a directory where I store a bunch of personal files.
I wrote scripts to encode or decode them all in a row, with the same
manually entered key. I usually don't modify ALL files in an editing
session. That's why.

> To try to understand what happened, you can go through the same
> manipulations with a bogus file and see if the problem can be
> reproduced.
>

Alexandre Oberlin
http://www.migo.info/

Ludovic Joly wrote:

> To try to understand what happened, you can go through the same
> manipulations with a bogus file and see if the problem can be
> reproduced.
In a way that's what I'm doing since this incident : I encode the
passphrase I type using my public key, then armor it and log it.
$> echo $pass | gpg -e --default-recipient-self | gpg --enarmor >
/tmp/lastpasswd.txt
In case of problem I can retrieve it with
$> cat /tmp/lastpasswd.txt | gpg --dearmor | gpg -d

So if one time I happen to get into the same state of tiredness I was
that morning when I logged out I will be done ;-)

AO

Peter Pearson wrote:
<...>
> So if I can just remember that one pass-phrase,
> all other pass-phrases are at my fingertips.

"One passphrase to rule them all, One passphrase to find them,
One passphrase to bring them all and in the darkness bind them"